Two weeks ago, multiple Cisco Managed Threat Defense (MTD) customers received an email that appeared to come from the Microsoft Volume Licensing Service Center (VLSC). The email shown below is very similar to the real email Microsoft sends. It had a personalized welcome line and appears to contain a link to login to the Volume Licensing Service Center:

As the Cisco 2015 Annual Security Report shows, current security approaches aren’t sufficient. Attackers are shifting methods and becoming more sophisticated in their approaches, users are unwittingly complicit enablers, and defenders struggle to keep up with all of these things. It is time for defenders to take a different approach to security that not only outwits attackers but also makes security a competitive advantage that enables business growth.

By taking a threat-centric and operational approach to security, organizations can reduce complexity and fragmentation, while providing superior visibility, continuous control, and advanced threat protection across the extended network and the entire attack continuum.

Using Cisco technology, this approach is enabled by broad visibility for superior intelligence across the extended network, where all the solutions a customer deploys communicate with each other. Organizations using siloed solutions will have holes in their security. Siloed solutions do not provide full protection since they do not communicate with one another, thus leaving security gaps and the inability to create actionable intelligence.

Cisco can provide a holistic solution to this problem by reducing the attack surface and extending protection across the network – before, during and after attacks.

As of May 1, 2014, we can confirm Cisco customers have been targets of this attack. For the latest coverage information and additional details see our new post on the VRT blog.

Protecting company critical assets is a continuing challenge under normal threat conditions. The disclosure of zero-day exploits only makes the job of IT security engineers that much harder. When a new zero-day vulnerability was announced on April 26, 2014 for Microsoft Internet Explorer, corporate security organizations sprang into action assessing the potential risk and exposure, drafting remediation plans, and launching change packages to protect corporate assets.

Some companies however, rely on Managed Security Services to protect those same IT assets. As a Cisco Managed Security services customer, the action was taken to deploy updated IPS signatures to detect and protect the companies critical IT assets. In more detail, the IPS Signature team, as a member of the Microsoft Active Protections Program (MAPP), developed and released Cisco IPS signature 4256/0 in update S791 and Snort rules 30794 & 30803 were available in the ruleset dated 4-28-2014. The Cisco Managed Security team, including Managed Threat Defense, received the update as soon as it became available April 28th. Generally, Cisco Managed Security customers have new IPS signature packs applied during regularly scheduled maintenance windows. In the event of a zero-day, the managed security team reached out to customers proactively to advise them of the exploit and immediately were able to apply signature pack updates to detect and protect customer networks.

While corporate security organizations must still assess ongoing risks and direct overall remediations to protect corporate data, Cisco can take the actions to provide security visibility into the targeted attacks, increase protection with fresh signatures, and reduce risk profile for the corporate InfoSec program.

For more detail on the vulnerability, please see Martin Lee’s blog post.

More details about this exploit and mitigation information can be found on the following links:

Some of the individuals posting to this site, including the moderators, work for Cisco Systems. Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of Cisco. The content is provided for informational purposes only and is not meant to be an endorsement or representation by Cisco or any other party. This site is available to the public. No information you consider confidential should be posted to this site. By posting you agree to be solely responsible for the content of all information you contribute, link to, or otherwise upload to the Website and release Cisco from any liability related to your use of the Website. You also grant to Cisco a worldwide, perpetual, irrevocable, royalty-free and fully-paid, transferable (including rights to sublicense) right to exercise all copyright, publicity, and moral rights with respect to any original content you provide. The comments are moderated. Comments will appear as soon as they are approved by the moderator.